This lecture is given by Neil Daswani, who has a Ph.D. from Stanford and currently works at Google as a security engineer. He is also an author of a book entitled "Foundations of Security: What Every Programmer Needs to Know", which teaches you state-of-the-art software security design principles, methodology, and concrete programming techniques you need to build secure software systems.

Neil talks about the top three web application vulnerabilities that cybercriminals use to steal money. These three vulnerabilities are:

SQL Injection attacks,

Cross-Site Request Forgery (XSRF) attacks, and

Cross-Site Script Inclusion (XSSI) attacks.

I was surprised that he did not cover plain, old Cross-Site Scripting (XSS) attacks, but jumped right to dynamic XSS. You'll have to get familiar with this type of attack on your own. See the XSS FAQ and XSS Cheat Sheet for more information!

#1 In the SQL injection 'union' attack (clever!) how did the attacker know the column names and types... inside job? Surely probing on that by an attacker would leave massive traces

#2. In the XSS attack, surely the site would not announce itself as 'evil.org' ... would the name be utterly shrouded, or would there be a placeholder name, and if so... would Alice be aware of it? ah the zero-size iframe... clever again

To John H:
Every database platform has known system tables that can be queried to learn about the tables/columns/types. It's a good idea to limit web account access to only stored procedures with specific roles.
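The two points in this reply, that the catalogue tables tell an attacker the schema and that the web account should run with the narrowest possible privileges, can be seen together in a small runnable example. This is an added illustration, not code from the talk or from the book; the schema, the product data and the search term are constructed for it. It uses SQLite, whose catalogue table is sqlite_master (MySQL and PostgreSQL expose the same kind of information through information_schema). SQLite has no accounts or GRANT, so its authorizer hook stands in for the restricted database role the comment recommends; on a server database you would grant the web account only the stored procedures or tables it needs.

```python
import sqlite3

# Constructed sample schema for this example; nothing here comes from the talk.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'alice@example.com', 'hash-of-alice-password');
    """)
    return conn


# A search term that turns a product lookup into a read of the catalogue table,
# which is how the schema leaks when input is pasted into the statement text.
SCHEMA_LEAK_TERM = "' UNION SELECT name, sql FROM sqlite_master --"


def search_vulnerable(conn, term):
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Binds the input as a parameter; it is compared as data and never parsed."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def restrict_web_role(conn):
    """Least privilege for the web-facing connection.

    The authorizer is consulted while each statement is prepared; any statement
    that reads the catalogue or the users table is refused before it runs.
    """
    forbidden = {"sqlite_master", "sqlite_schema", "users"}

    def authorizer(action, table, column, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_READ and table in forbidden:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def run_guarded(query_fn, conn, term):
    """Returns ('ok', rows) or ('denied', message) so a refusal can be logged."""
    try:
        return "ok", query_fn(conn, term)
    except sqlite3.Error as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    conn = build_db()
    # Concatenation: the catalogue rows come back alongside the product search.
    print("vulnerable :", run_guarded(search_vulnerable, conn, SCHEMA_LEAK_TERM))
    # Parameter binding: the same term is just an unmatched product name.
    print("safe       :", run_guarded(search_safe, conn, SCHEMA_LEAK_TERM))
    restrict_web_role(conn)
    # Even the concatenated query is now refused when it touches sqlite_master.
    print("restricted :", run_guarded(search_vulnerable, conn, SCHEMA_LEAK_TERM))
    print("normal use :", run_guarded(search_safe, conn, "widget"))
```

Parameter binding is the fix for the injection itself; the restricted role is the second layer, limiting what a query can reach if a concatenated statement is ever shipped by mistake. The "denied" result from run_guarded is also the natural place to emit an alert, since legitimate application code never needs the catalogue at runtime.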

So this is all covered in only 1 of the many chapters in the Web Application Hacker's Handbook. There is so much more to it than just XSS and SQL Injection; have you considered traversal attacks or XQuery attacks?